We wanted to provide you with an update on our ongoing investigation into the “blue screen” issues affecting a limited number of customers who installed MS10-015.We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues.Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit.We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software.The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state.In every investigated incident, we have not found quality issues with security update MS10-015.Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.

Customers continue to emphasize the importance of quality updates, and that high quality updates encourages quicker deployment.While the issue customers are experiencing with MS10-015 was caused by a malware infection and not a problem with the security update, we wanted to use this event as an opportunity to explain why this issue was not caught during testing, and how we respond to reported issues in our security updates.

This issue was not caught as part of our testing because oftentimes when malware is present, infected systems are put in an unstable state.These types of infections often leave the machine in such an unstable state that it cannot be reliably tested.This is because Malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded.The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine.Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed.On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.

Microsoft has taken steps to deter tampering with the Windows Kernel using technologies like Kernel Patch Protection (sometimes referred to as PatchGuard) and Kernel Mode Code Signing (KMCS), both of which are enabled in 64-bit systems.These technologies make it possible to detect when integrity checks fail. The different versions of Alureon that we have investigated only infect 32-bit systems and would fail to infect 64-bit systems. That said, it is important to note that running as a standard user instead of using an administrator account is a best practice that in most cases will prevent kernel mode malware from infecting a system. Similarly, keeping anti-virus signatures current will also prevent most malware from infections. Additionally, since we have determined that 64-bit systems are not affected, we are opening Automatic Updates for these platforms.

Customers who are interested in additional technical details of what the Windows Kernel is can learn more here.

Even after security updates are released, the Microsoft Security Response Center’s job is not done.In conjunction with Microsoft Customer Service and Support (CSS), we monitor forums and track customer calls to ensure we respond to reported issues as quickly as possible.On Wednesday, February 10th, we became aware of reports regarding Windows XP SP2 and SP3 systems becoming unable to restart successfully after the installation of MS10-015. The reports were first identified by the MSRC’s monitoring of various online community support forums, a spike in support call volume and telemetry from our Consumer Security Support Center.After reviewing the information we had available, we stopped offering Automatic Update distribution of MS10-015 in order to minimize the potential for widespread customer impact while we investigated these reports.Even though we have stopped distribution through Automatic Update, we have seen a large number of deployments as customers can still deploy the update through Windows Update, WSUS or SMS.

In this situation, our teams needed to get information directly from the affected systems in order to understand the cause.Because we had so few reports and needed to examine the state of the affected systems, the CSS team even drove to customer locations to retrieve machines for analysis.

This past weekend, we worked with the Microsoft Malware Protection Center (MMPC) on the systems that were delivered to Redmond last Friday, and confirmed that all of the affected systems had the Alureon Rootkit installed. The Windows Engineering team then began working to build a test matrix to determine if the malware was related to the reports we have been receiving.To ensure we had identified the root cause of the issue, Windows Engineering tested machines using the test process covering all 32 bit versions of Windows.While this issue could impact any 32bit Windows system that was infected with the malware, since reports are predominately on 32bit versions of Windows XP this test process is described at a high level focusing on that version in the below table:

Phase

Actions

Result on Test Machines

Debug Phase 1

Install Supported Versions of Windows XP

Install all previous updates to bring the Windows Kernel prior to the version updated by MS10-015 to version 5.1.2600.5857.

Install the Alureon Root Kit.

Install MS10-015 / KB977165 Kernel Version 5.1.2600.5913

The system enters a repeated reboot / blue screen

Debug Phase 2

Install Supported Versions of Windows XP

Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857

Install all previous updates to bring the Windows Kernel to Current Version prior to the version updated by MS10-015.

Install the Alureon Root Kit.

Successful boot

Debug Phase 3

Install Windows XP SP3

Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857

Installthe MS10-015 security update the Kernel version to version 5.1.2600.5913

Install the Alureon Root Kit.

Successful boot

Debug Phase 4

Install Supported Versions of Windows XP

Install all previous updates to bring the Windows Kernel to version 5.1.2600.5857

Install MS10-015 to bring the Windows Kernel to version 5.1.2600.5913

Install the Alureon Root Kit.

Uninstall KB977165 setting the Kernel to version 5.1.2600.5857

The machine goes into a rolling reboot

As indicated in the table, the presence of Alureon does not allow for a successful boot of the compromised system. The Windows Engineering team continued testing different configurations, as well as retesting several third party applications, leading to our firm conclusion that the blue screen issue is the result of the Alureon rootkit.

A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk.

While we cannot predict how malware writers will author or modify their code, we are committed to finding new ways to detect issues like this on infected systems. We’re also working on a simpler solution to detect and remove Alureon from affected systems which should be released in a few weeks, as are several other third party vendors.

We will keep you updated here on the MSRC Blog as we have more data and information on the malware and automatic remediation tools.

Mike Reavey

Director, MSRC

*This posting is provided “AS IS” with no warranties, and confers no rights.*